Friday, May 18, 2018

AndroidRAT: SpyNote


SpyNote is a free Android RAT that controls Android devices through a user-friendly GUI. Key features include viewing all messages, listening to and recording audio, and querying the phone's GPS location. 28 samples have been identified in the wild (ITW), with 1,334 known command and control (C2) nodes; the payload is delivered by binding it to an existing Android Package (APK), e.g. a game, social media, or banking app. The apps are downloaded from the Google Play Store and can transmit Personally Identifiable Information (PII) from the infected device back to the threat actor's server.


The full article and an archive of related reporting can be found in READBOARD.


Wednesday, May 16, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: May 15, 2018
 
Wapack Labs identified connections from 713 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

WWW.WAPACKLABS.COM
 
This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: May 15, 2018 

On 15 May 2018, Wapack Labs identified 527 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 


Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


Monday, May 7, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: May 7, 2018 

On 7 May 2018, Wapack Labs identified 59 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 




This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   


Reporting Period: May 7, 2018
 
Wapack Labs identified connections from 757 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 
This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, May 1, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: May 1, 2018
 
Wapack Labs identified connections from 629 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: May 1, 2018 

On 1 May 2018, Wapack Labs identified 75 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 



This TLP AMBER report is available only to Red Sky Alliance members.

Chinese Military Cyber Attack Research

Following identification of the PLA 54th Research Institute (54th RI) as a Chinese military cyberattack research entity, Wapack Labs conducted further research to identify its leadership and key researchers. The current 54th RI Director could not be identified. Maj Gen Hao Yeli is a former Director, but she has advanced to become Deputy Director of the PLA Fourth Department, under which the 54th RI is subordinated. Maj Gen Lu Yueguang appears to be the current Deputy Director of the 54th RI.

A review of academic work by 54th RI personnel identified 37 articles and 8 patents that reflected research on cyberattack techniques. Two authors—Zhao Xinjie and Guo Shize—were by far the most prolific over the last ten years, accounting for 26 and 32 articles and patents related to cyberattack, respectively. Four other authors—Xiao Qixue, Wu Zhiyong, Wang Xiaojuan, and Niu Wei—had written four to eight articles or patents each.

Most of the papers found described techniques for attacking cryptographic protection systems. These included side-channel attacks, cache timing attacks, algebraic fault attacks, and cube attacks. If these publications are representative of the work being done inside the 54th RI, then the term "attack" appears to mean an attack on a cryptosystem to extract its keys, rather than a destructive attack. Papers on cryptosystem attack techniques by 54th RI authors were still being published in 2016-2018, indicating that development of these techniques is part of China's present-day cyber strategy.

An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, April 30, 2018

NIST 800-171 Self Assessment

Did you know that last week, Lockheed Martin won a $1 billion contract to build hypersonic aircraft and technologies? 

Did you also know that NIST 800-171 compliance is going to be required to participate on the contract?

I thought I might take an opportunity to present an 'easy button'. We took the NIST Assessment document and turned it into a no cost, no obligation, online Self Assessment.  Fill in the correct contact information (as opposed to fake contact information) and at the end, we'll send you your individual responses.

The self assessment is located here: https://www.surveymonkey.com/r/BKTXJ89

If you're a small business (<500 employees) and need help, you can ask questions in the 'Compliance Corner' in the Red Sky Small Business Alliance —also provided at no charge for small businesses: https://redsky-sba.ning.com/compliance-corner.

Good luck.
Jeff

Tuesday, April 24, 2018

Implication of Russian Sanctions


Summary

During March-April 2018, dozens of Russian diplomats were expelled, hundreds of Russian Troll Factory-related accounts were banned, and new travel and economic sanctions were levied, with more expected. While Russia did expel diplomats symmetrically, it is exploring options for an asymmetric response ranging from intellectual property violations to cyberattacks.

Details

Blows Targeting Russia

In March 2018, 25 countries and NATO expelled dozens of Russian diplomats (intelligence officers) over an ex-spy poisoning case in the UK (Figure 1).*1 The US closed Russia's Seattle Consulate; in response, Russia proportionally expelled the same number of diplomats and is closing the US Consulate in St. Petersburg.

On 15 March 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) put five Russian entities and 19 individuals under sanctions for significant malicious cyber-enabled activities. This was prompted in part by the NotPetya attack and other cyber events. But the main focus was on the Internet Research Agency (IRA, also known as “Russian Troll Factory”) actors.

On 3 April 2018, Facebook and Instagram banned over 200 accounts connected to the IRA. Most of the ban affected Russian-speaking accounts. Many were media-related, and one was a Moscow local government account. According to Facebook, they "removed this latest set of Pages and accounts solely because they were controlled by the IRA, but not based on the content."*2 Later in April, Reddit joined Twitter and Facebook in identifying and freezing IRA-related accounts.*3

On 6 April 2018, the Trump administration unleashed a new round of Ukraine-related US sanctions on Russia. This action resulted in Russian oligarchs losing close to $12 billion in capitalization, and the Russian ruble also lost part of its value.*4

Currently, new sanctions are being discussed, and it is probable that the next round will relate to Russian collaboration in Syria's use of chemical weapons against its opposition. Radical measures under discussion include placing Russia on the designated Foreign Terrorist Organizations (FTOs) list.

There are no signs of Russia stepping back. Publicly, Trump is sending signals that he desires a good relationship with Russia, yet both countries are using de-escalation mechanisms to avoid direct military conflict in Syria and other areas of the world.

Russia is and has been on a long-term trajectory to expand its influence. This strategy involves military actions and cyber operations that encompass supporting the rogue regimes of North Korea, Iran, Syria, and Venezuela; not abandoning its foothold in Crimea; and not dethroning Assad in Syria. As long as these Russian diplomatic positions remain intact, relations with the West will continue to deteriorate.

Russian Possible Response and Cyber

Russian actions and possible counter-actions are divided into five (5) important categories (diplomatic, kinetic, economic, information, and cyber):

1) Diplomatic actions included symmetric expulsion of Western diplomats. Russia is not cooperating in the investigations of chemical weapon use in Douma, Syria, or of the ex-spy poisoning in the UK. Russia is trying to win new friends in Turkey and Austria.

2) Kinetic actions include continuation of the low-scale military conflict in Ukraine, successful expansion of Assad-controlled territory in Syria, and possible military bases in Sudan and other African countries.

3) Economic actions include expanding existing Russian programs that support entities under sanctions. Russia has prepared a bill that could reciprocally target Western corporations, and even abolish Western patents and trademarks in Russia.*5 So far Russia is cautious with these measures, as they are likely to backfire, but some steps in this direction are being initiated.

4) Information war includes continuation of the active information campaign against the West. Dana White, the chief Pentagon spokesperson, noted a 2,000 percent increase in Russian troll activity following the Syrian airstrikes.*6 At the same time, Russia has tightened control over its Internet. On 16 April 2018, the Russian censorship agency banned the Telegram messenger, which had refused to hand over encryption keys. By 17 April 2018, the number of banned IPs had grown to 16 million as Telegram started using Amazon and Google cloud services.*7 The Russian censorship agency is currently threatening to audit and potentially ban Facebook unless Facebook moves Russian users' data to Russia and deletes unwanted information.*8

5) A cyber response from Russia is also likely as part of an asymmetric information war. Wapack Labs does not have much immediate visibility into current Russian APT moves, but we observe some indications from Russian hackers and have learned much from the Russian APT activity discovered during the last 2-3 years.

Russia remains a safe haven for financially motivated hackers that target other countries.

Both Russian APT groups and criminal hackers are using phishing and social engineering methods. For example, in April 2018, Wapack Labs reported how Russian spammers found a way to abuse the legitimate Email Report form for Google Analytics.*9

As Russia begins to censor the Telegram messenger, several high-profile Russian officials are publicly switching to ICQ. ICQ is still popular among hackers in many countries and is controlled by Russia, which could give it valuable information regarding the cyber underground.

Russia is blamed for escalating cyber attacks after it became clear that Russia had gained a concerning foothold in the US energy sector and its networking equipment. The US reported that since at least March 2016, Russian government cyber actors have targeted government entities and multiple US critical infrastructure sectors, including the energy and nuclear sectors, among others.*10

A joint alert issued on 16 April 2018 by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warns that Russian state-sponsored cyber actors are actively targeting home and enterprise routers. The alert provides an overview of Russian APT activity beginning in 2015 and ongoing in 2016 and 2017. Hacked devices ranged from small home routers to ISP-grade routers and firewalls, with the attackers trying to hoard as many systems as possible. Attack vectors include Telnet, TFTP, SNMP, and SMI — protocols often found on routers, known for vulnerabilities, and easily misconfigured (see the Indicators table for the recorded IP indicators).*11

Conclusion

Relations between Russia and the US continue to deteriorate, and de-escalation mechanisms have been only partially successful. In 2018, Russian information campaigns (Russian trolls) are a concern; Russian state-sponsored hackers continue to be active; and new spoofing and social engineering methods are being developed. Russian campaigns were discovered compromising the US energy sector and networking infrastructure (routers). This prompted the US government to share information and urge a wide range of industries to pay more attention. Wapack Labs will continue to monitor new Russian TTPs.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com

*1 aa.com.tr/en/info/infographic/9483
*2 newsroom.fb.com/news/2018/04/authenticity-matters/ "Authenticity Matters: The IRA Has No Place on Facebook"
*3 www.reddit.com/wiki/suspiciousaccounts and www.reddit.com/r/announcements/comments/8bb85p/reddits_2017_transparency_report_and_suspect/
*4 bloomberg.com/news/articles/2018-04-09/russia-s-richest-lose-16-billion-in-selloff-over-u-s-sanctions
*5 sozd.parliament.gov.ru/bill/441399-7 [in Russian]
*6 www.dailymail.co.uk/news/article-5615877/Russian-troll-activity-increases-2-000-Syrian-airstrikes.html
*7 www.bleepingcomputer.com/news/government/russia-bans-18-million-amazon-and-google-ips-in-attempt-to-block-telegram/
*8 iz.ru/733380/siuzanna-farizova/so-svobodoi-vse-khorosho-s-otvetstvennostiu-plokho [in Russian]
*9 ctac-01.tac.wapacklabs.com/f5-w-68747470733a2f2f31302e302e312e3532$$/IR-18-095-001_Russian_Spam_from_Google_Analytics
*10 www.us-cert.gov/ncas/alerts/TA18-074A Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. March 15, 2018
*11 www.us-cert.gov/ncas/alerts/TA18-106A

Monday, April 23, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: April 23, 2018 

On 23 April 2018, Wapack Labs identified 1,037 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   


Reporting Period: April 23, 2018
 
Wapack Labs identified connections from 1,994 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 

This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, April 17, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   


Reporting Period: April 16, 2018
 
Wapack Labs identified connections from 706 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

 
This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: April 16, 2018 

On 16 April 2018, Wapack Labs identified 53 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 




This TLP AMBER report is available only to Red Sky Alliance members.

Monday, April 16, 2018

New Pony Loader Obfuscation Technique via Smoke Loader

Cyber actors are leveraging the infamous Smoke Loader downloader to deliver several malware families, including Zeus, Neutrino, the Chthonic banking trojan, and cryptomining software. The RIG exploit kit (EK) developers are currently using this downloader to deliver the Monero coin miner. Attackers are now delivering the Pony/Fareit malware via the PowerArchiver compressor (XXEncode 0.0), which significantly reduces the detection rate among anti-virus vendors (fewer than six vendors detect it) because the file is identified as a text file. Wapack Labs identified the secondary command and control (C2) infrastructure, which continues to be developed by the operators.
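XXEncode armour is printable text, so a scanner that only inspects the outer file sees a text file; a defender has to unwrap it and look at the inner bytes. The following decoder and PE-header check is an added example for this post, not code from Wapack Labs or any of the tools named above; the armoured sample it builds is constructed from an 'MZ' header plus filler bytes, not a real Pony/Fareit sample.

```python
XX_ALPHABET = "+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
XX_INDEX = {c: i for i, c in enumerate(XX_ALPHABET)}

def xxencode(data: bytes, name: str = "payload.bin") -> str:
    """Build XXEncode text (used here only to construct the sample)."""
    lines = [f"begin 644 {name}"]
    for off in range(0, len(data), 45):          # 45 raw bytes per line
        chunk = data[off:off + 45]
        padded = chunk + b"\0" * (-len(chunk) % 3)
        out = XX_ALPHABET[len(chunk)]            # first char = byte count
        for i in range(0, len(padded), 3):       # 3 bytes -> 4 chars
            n = int.from_bytes(padded[i:i + 3], "big")
            out += "".join(XX_ALPHABET[(n >> s) & 0x3F] for s in (18, 12, 6, 0))
        lines.append(out)
    lines += [XX_ALPHABET[0], "end"]             # zero-length line, trailer
    return "\n".join(lines) + "\n"

def xxdecode(text: str) -> bytes:
    """Unwrap XXEncode text between 'begin' and 'end'; returns raw bytes."""
    out, in_body = bytearray(), False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("begin ")
            continue
        if line == "end":
            break
        if not line or line[0] not in XX_INDEX:
            raise ValueError("malformed XXEncode line")
        length = XX_INDEX[line[0]]
        if length == 0:
            continue
        buf = bytearray()
        for i in range(1, len(line), 4):         # 4 chars -> 3 bytes
            quad = line[i:i + 4].ljust(4, "+")
            if any(ch not in XX_INDEX for ch in quad):
                raise ValueError("character outside XXEncode alphabet")
            n = sum(XX_INDEX[ch] << s for ch, s in zip(quad, (18, 12, 6, 0)))
            buf += n.to_bytes(3, "big")
        out += buf[:length]                      # drop padding bytes
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """True when the payload starts with the 'MZ' DOS stub of a PE file."""
    return data[:2] == b"MZ"

def scan_text_file(text: str) -> bool:
    """Flag a 'text' file whose XXEncode body hides a PE executable."""
    try:
        return looks_like_pe(xxdecode(text))
    except ValueError:                           # not valid XXEncode armour
        return False

# Constructed sample: an 'MZ' header plus filler bytes, NOT real malware.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(1, 71))
SAMPLE_ARMOURED = xxencode(SAMPLE_PAYLOAD)
```

`scan_text_file(SAMPLE_ARMOURED)` returns True even though every byte of the armoured file is printable ASCII, which is the gap the post describes.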

An archive of related reporting can be found in the Red Sky Alliance portal.